Analysis
-
max time kernel
148s -
max time network
153s -
platform
android-9_x86 -
resource
android-x86-arm-20240910-en -
resource tags
-
submitted
16-01-2025 22:04
General
-
Target
7b41932e8c7f59c1f3ecc539c3885fbc3e27a1da1224e5e0c1ead87463476155.apk
-
Size
1.9MB
-
MD5
f336c6d8bfeffc0483de2b47e93e87b1
-
SHA1
5c56ebd176342d238825bc7321cb71fe722062f0
-
SHA256
7b41932e8c7f59c1f3ecc539c3885fbc3e27a1da1224e5e0c1ead87463476155
-
SHA512
43b21042eb1487b8d49e5548442d932b4854c4ad7ea27722b300d7d260444c4d88637d75c62d986c2fb3915a1e4bd76d47785b993054683086b5ecf596e848d2
-
SSDEEP
49152:NeossZEWjD+nnofZoiV9LsqwN7FI9LMS7D7v/77rL7U/jYuxpDyZpNg4APFdHHme:Ne3sZLjIoRoiV9HwNyJXbD7rL7UbYmi6
Malware Config
Extracted
octo
https://ruceayipma.xyz/YjVmNGU0NmNhODlm/
https://yapayzekaisyanlari.xyz/YjVmNGU0NmNhODlm/
https://makineordulariyukseliyor.xyz/YjVmNGU0NmNhODlm/
https://teknolojinisyanhikayesi.xyz/YjVmNGU0NmNhODlm/
https://robotkorsanlargeliyor.xyz/YjVmNGU0NmNhODlm/
https://dunyayirobotlarkapliyor.xyz/YjVmNGU0NmNhODlm/
https://mekanikordularinintikam.xyz/YjVmNGU0NmNhODlm/
https://otomasyonkalesindemucadele.xyz/YjVmNGU0NmNhODlm/
https://robotlarvemakineisyanlari.xyz/YjVmNGU0NmNhODlm/
https://teknolojikseferberlik.xyz/YjVmNGU0NmNhODlm/
https://yapayordularinhikayesi.xyz/YjVmNGU0NmNhODlm/
https://makinevekodisyancilari.xyz/YjVmNGU0NmNhODlm/
https://mekanikorduyolculugu.xyz/YjVmNGU0NmNhODlm/
https://robotikturunculer.xyz/YjVmNGU0NmNhODlm/
https://mekanikisyanveteknoloji.xyz/YjVmNGU0NmNhODlm/
https://makineuyanikaynaklari.xyz/YjVmNGU0NmNhODlm/
https://mekanikseferisyani.xyz/YjVmNGU0NmNhODlm/
https://yapayzekauyanislari.xyz/YjVmNGU0NmNhODlm/
https://robotinsanvedunyavasfi.xyz/YjVmNGU0NmNhODlm/
https://dunyayisaranmekanik.xyz/YjVmNGU0NmNhODlm/
Extracted
octo
https://ruceayipma.xyz/YjVmNGU0NmNhODlm/
https://yapayzekaisyanlari.xyz/YjVmNGU0NmNhODlm/
https://makineordulariyukseliyor.xyz/YjVmNGU0NmNhODlm/
https://teknolojinisyanhikayesi.xyz/YjVmNGU0NmNhODlm/
https://robotkorsanlargeliyor.xyz/YjVmNGU0NmNhODlm/
https://dunyayirobotlarkapliyor.xyz/YjVmNGU0NmNhODlm/
https://mekanikordularinintikam.xyz/YjVmNGU0NmNhODlm/
https://otomasyonkalesindemucadele.xyz/YjVmNGU0NmNhODlm/
https://robotlarvemakineisyanlari.xyz/YjVmNGU0NmNhODlm/
https://teknolojikseferberlik.xyz/YjVmNGU0NmNhODlm/
https://yapayordularinhikayesi.xyz/YjVmNGU0NmNhODlm/
https://makinevekodisyancilari.xyz/YjVmNGU0NmNhODlm/
https://mekanikorduyolculugu.xyz/YjVmNGU0NmNhODlm/
https://robotikturunculer.xyz/YjVmNGU0NmNhODlm/
https://mekanikisyanveteknoloji.xyz/YjVmNGU0NmNhODlm/
https://makineuyanikaynaklari.xyz/YjVmNGU0NmNhODlm/
https://mekanikseferisyani.xyz/YjVmNGU0NmNhODlm/
https://yapayzekauyanislari.xyz/YjVmNGU0NmNhODlm/
https://robotinsanvedunyavasfi.xyz/YjVmNGU0NmNhODlm/
https://dunyayisaranmekanik.xyz/YjVmNGU0NmNhODlm/
Signatures
-
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
-
Octo family
-
Octo payload 2 IoCs
-
Removes its main activity from the application launcher 1 TTPs 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
-
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs
Application may abuse the accessibility service to prevent their removal.
-
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
-
Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
-
Reads information about phone network operator. 1 TTPs
-
Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
-
Requests modifying system settings. 1 IoCs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes
-
com.chief.strategy1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Requests modifying system settings.
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
-
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.chief.strategy/app_parrot/AthXSPA.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.chief.strategy/app_parrot/oat/x86/AthXSPA.odex --compiler-filter=quicken --class-loader-context=&2⤵
- Loads dropped Dex/Jar
-
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
2Suppress Application Icon
1User Evasion
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Credential Access
Access Notifications
1Input Capture
2GUI Input Capture
1Keylogging
1Discovery
Software Discovery
1Security Software Discovery
1System Network Configuration Discovery
4Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
153KB
MD5fa7e31e31906e48d59c921cd2048079a
SHA10cc6d123c96d852d797a40f4fdfbfa64ea4450bf
SHA2567150e1730f823b4c29047433c705aa798c01b20a3737c4814621e82838b97dba
SHA51245ddd47cfe9bfa5143c7c7106906c53b052a7591fbe87c542441c17bd2796903f0254154fdf3ab7328c862d5636b3b071a019236c1c480187de3017115f3b01e
-
Filesize
153KB
MD54de591f0d2cda26b3a3043d5ac31450c
SHA16a80082ebbc1e5b6f03b01792f57013701183548
SHA2563486493a2308d868f59a9cad8fc930c751b200f2a8e1b552f65d2f0d6dd368aa
SHA51209d3e2c76619d3fbcfb9389017299b254f3d2bdf98ad977fabe3a14b2339743148f4dc9d18a92925cfd00ef4f0e4d00109fb4981f27b8279eff2b9336604c5e5
-
Filesize
450KB
MD55d55982932c994363924e55a662e873b
SHA10fd56b7450335e7c817d16d4756400aea7719b8c
SHA25617a32d532b0faf38f73fcb102b20f4c9257159d185a25b4b6a79a9944a8a3141
SHA512dca1f9a1d10a6374bf05a07b4aec563b0ddbb30f6a5db2f0d228ae1697c3bcffcaa6b5056d8eba2b2bbb79efbcfa0a7c1a1b842b0d2bb246a2788215059d220c
-
Filesize
450KB
MD55b33d83ac8c0d9d8812ffc68a97f9f59
SHA18059c2da92b258bc9d7098d635ec3f83fc451bcd
SHA256a1b5c0fad3ec69d1ba1ff5bc5a942ec071b497c6ed9b8e522b98cfd4ab170ad4
SHA5125deab7a66b1c297a05361f59c619303a4f5fde502273c0723acfa5ddbb6032b6475bac6351b65ecd20ca8e0159550cc71f403e3b05dfdccbd40e214f41a8d574